1 Reply Latest reply on Jul 13, 2015 3:21 AM by dariusz.wittek@intel.com

    Intel SCS Addon for SCCM 2012 Account question

    Michail Rudyi

      Are there any special considerations when using the networkservice account with the Intel SCS addons?  The SCS and SCCM would be on the same machine.  The SCCM machine account would already have local admin permissions on the clients.

        • 1. Re: Intel SCS Addon for SCCM 2012 Account question
          dariusz.wittek@intel.com

          Michail,

          this is more Intel SCS -RCS service related question:

          • SCCM requires AD integration  - Intel RCS runnig as Network Service account will require permissions for AD additional OU created for AMT ME objects  to be able to create and delete child computer objects (so you will grant propper delegation to this OU to RCS computer account)
          • SCCM requires TLS AMT setup - RCS will request AMT TLS certificate to be issued automatically for each Intel vPro/AMT based system  by your PKI CA (certs CA CAN'T be put to pending!).
            so RCS service running as Network Service Account (RCS Server Computer account) will need to be authorised for specified AMT TLS certificate template  Read and Enroll

            For Standalone CA - access to CA will be required for RSC service account.
          • if Remote Configuration PKI certificate based  method will be used to configure Intel AMT - AMT Remote Configuration certificate (the one you will order from Godaddy, Verisign or any other of 15 Public CA supported by default Intel ME FW) will have to be placed in RCS service  Personal Cert store - so either in RCS Computer  cert store or using RCSutils tool.

          If only Host Based Configuration will be used - Intel RCS is not required, although it can be still used for central secure store of AMT Configuration profiles.

           

          ACUConfig will be executed by SCCM agent -so in Local Computer account context

           

          As in Host Based Configuration case it will be ACUConfid.exe component which will create AD ME objects and request AMT TLS certs from your CA - then same access shall be granted to all Intel vPro /AMT based computer accounts to  AMT additional OU and AMT TLS certificate template - easiest way will be to grant it to Domain Computers.

           

          In Host Based Configuration AMT RCFG cert is not used at all so no need to purchase it neither import to any certificate store.

           

          rgds

          Darek